GitHub CLI 2.49.0
Support for GitHub Artifact Attestations
The v2.49.0 release introduces the `attestation` command set for downloading and verifying attestations about artifacts built in GitHub Actions! This is part of the larger Artifact Attestations initiative. An artifact attestation is a piece of cryptographically signed metadata that is generated as part of your artifact build process. These attestations bind artifacts to the details of the workflow run that produced them, and allow you to guarantee the integrity and provenance of any artifact built in GitHub Actions.
```
# Verify a local artifact
gh attestation verify artifact.bin -o <your org>

# Verify a local artifact against a local artifact attestation
gh attestation verify artifact.bin -b ./artifact-v0.0.1-bundle.json -o <your org>

# Verify an OCI image
gh attestation verify oci://ghcr.io/foo/bar:latest -o <your org>

# Download artifact attestations
gh attestation download artifact.bin -o <your org>
```
To get started, check out `gh help attestation`. You can also use the `gh at <command>` alias for short.
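What "bind artifacts" means at the data level, as an added example that is not part of these release notes or the gh source: it assumes the bundle follows the Sigstore bundle layout, with a DSSE envelope whose payload is an in-toto statement listing the artifact's SHA-256 digest as a subject. The sample bundle is constructed and unsigned, and the code checks only the digest binding; signature, certificate and log verification remain the job of `gh attestation verify`.

```python
import base64
import hashlib
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def statement_for(bundle: dict, artifact: bytes) -> dict:
    """Return the in-toto statement if it names this artifact's SHA-256 digest.

    Checks only the artifact-to-statement binding. It does NOT verify the
    signature, certificate or transparency log entry.
    (Field names assume the Sigstore bundle / in-toto statement layout.)
    """
    envelope = bundle["dsseEnvelope"]
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("envelope does not carry an in-toto statement")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        raise ValueError("artifact digest is not a subject of this attestation")
    return statement


def make_sample_bundle(artifact: bytes) -> dict:
    """Constructed, unsigned sample in the assumed bundle shape."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "artifact.bin",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"note": "constructed placeholder, not real provenance"},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"dsseEnvelope": {"payloadType": INTOTO_PAYLOAD_TYPE,
                             "payload": payload,
                             "signatures": [{"sig": "PLACEHOLDER"}]}}


if __name__ == "__main__":
    original = b"constructed artifact contents\n"
    bundle = make_sample_bundle(original)
    print(statement_for(bundle, original)["predicateType"])
    try:
        statement_for(bundle, original + b"tampered")  # modified artifact
    except ValueError as err:
        print("rejected:", err)
```

A digest match alone proves nothing about who produced the statement; it only shows which artifact a verified attestation is talking about.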
What's Changed
- Improve gh run rerun docs by @sochotnicky in #8969
- build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in #8981
- Update `sigstore-go` dependency to v0.3.0 by @malancas in #8977
- `gh attestation tuf-root-verify` offline test fix by @malancas in #8975
- Update `gh attestation verify` output by @malancas in #8991
- build(deps): bump google.golang.org/grpc from 1.62.1 to 1.62.2 by @dependabot in #8989
- Remove `Hidden` flag from `gh attestation` command by @malancas in #8998
- Add colon for `gh secret set` by @NeroBlackstone in #9004
- Improve errors when loading bundle locally fails by @williammartin in #8996
- Support offline mode for `gh attestation verify` by @steiza in #8997
- Add `projectsV2` to JSON fields of `gh repo` commands by @babakks in #9007
- Support long URLs in `gh repo clone` by @babakks in #9008
- Fix issue with closing pager stream by @babakks in #9020
- proof of concept for flag-level disable auth check by @andyfeller in #9000
- Be more general with attestation host checks by @williammartin in #9019
- Add beta designation on attestation command set by @andyfeller in #9022
- Tweaked gh attestation help strings to generate nicer cli manual site. by @phillmv in #9025
- Update cli/go-gh to v2.9.0 by @andyfeller in #9023
- Document repo clone protocol behaviour by @williammartin in #9030
New Contributors
- @sochotnicky made their first contribution in #8969
- @NeroBlackstone made their first contribution in #9004
- @phillmv made their first contribution in #9025
Full Changelog: v2.48.0...v2.49.0